New Autorun.inf, Different from before...

#1 - Jan 14 2009, 11:27 PM - cschun86 (Senior Member)
Here is my case.

My computer is clean and not infected. So whenever I plug in a pendrive, I close the autorun, open WinRAR with the destination set to the pendrive/portable HDD, and if there is an autorun.inf I just delete it and the pendrive is clean again... Now my problem is that the autorun.inf can't be deleted that way, because it is write-protected right now... and when I scan with my Kaspersky Internet Security, it has the log below:

    1/14/2009 10:29:45 PM Detected: Net-Worm.Win32.Kido.eo G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
    1/14/2009 10:29:53 PM Untreated: Net-Worm.Win32.Kido.eo G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Postponed
    1/14/2009 10:32:51 PM Detected: Net-Worm.Win32.Kido.eo G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
    1/14/2009 10:33:03 PM Untreated: Net-Worm.Win32.Kido.eo G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Skipped by user

I am unable to clean it with Kaspersky and Ninja pendrive... because it is in the RECYCLER folder and it is access denied and write-protected... any method to fix it? I know I can format it and make it clean again, but my portable HDD has too much data and I can't afford to format it.

#2 - Jan 15 2009, 11:41 AM - "Casual" (Junior Member)
Empty your recycle bin...

#3 - Jan 15 2009, 02:41 PM - cschun86 (Senior Member)

#4 - Jan 16 2009, 02:11 AM - "Newbie" (Junior Member)
Hi there. Try to reboot with your pendrive plugged in, then go to Safe Mode and log in as Administrator.
Then try using cmd and run attrib -s -h -r on it to remove it.

#5 - Jan 16 2009, 09:19 AM - hunk-u (Junior Member)
> QUOTE(cschun86 @ Jan 15 2009, 02:41 PM)

I also had the same problem last week... My office PC (Trend Micro OfficeScan) detected it but could not delete it, but my lappy (NIS2009) detected & deleted the virus. The virus is known (by NIS) as W32.Downadup!Autorun & W32.Downadup.B.

#6 - Jan 16 2009, 09:32 AM - "LYN T-Shirt Designer '..::-/^\-::..'" (Senior Member)
Yeah.. RECYCLER.
I have deleted it using Unlocker.. after a few days it's coming back. Any other solution?

#7 - Jan 16 2009, 03:35 PM - hunk-u (Junior Member)
Info about the virus from Panda Security.

#8 - Jan 16 2009, 06:17 PM - pjoe8 (Junior Member)
I just removed this worm from my notebook. Avira cannot detect it at all. It also blocks websites that contain certain words in the URL (worm, microsoft, etc.).

To remove Win32.Worm.Downadup follow these steps:
1. Disable System Restore.
2. Download and install the MS08-067 vulnerability patch from http://www.microsoft.com/technet/security/...n/MS08-067.mspx
3. Unplug your network cable or disable your network device.
4. Run the removal tool developed by BitDefender Labs: http://www.malwarecity.com/media/files/anti-downadup.zip
(source)

This post has been edited by pjoe8: Jan 16 2009, 06:22 PM

#9 - Jan 17 2009, 12:09 AM - cschun86 (Senior Member)
Hmm.. mine is like hunk-u said.
Hmm, but the text in the quote didn't mention any solution... and the worm doesn't allow me to install the Microsoft update, and the removal tool reports my system clean, but it is in the portable HDD. How?

This post has been edited by cschun86: Jan 17 2009, 12:23 AM

#10 - Jan 17 2009, 08:43 AM - hunk-u (Junior Member)
You can try this...
In Folder Options, uncheck 'Hide protected operating system files', then explore your portable HDD and delete the RECYCLER folder. I don't know whether this works for you, but it works for me.. Good luck.

This post has been edited by hunk-u: Jan 18 2009, 12:19 PM
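One way to carry out what posts #4 and #10 describe (clear the System/Hidden/Read-only attributes, then delete autorun.inf and the RECYCLER tree) that also deals with the "access denied" the thread keeps hitting, by taking ownership of the NTFS folder first. This is an added example, not a tool from the thread; it assumes the drive letter G: from the Kaspersky log in post #1, and takeown.exe and icacls.exe, which ship with Vista.

```powershell
# Added example, not a tool from this thread. Run from an elevated PowerShell prompt
# with AutoRun already closed, as the OP does. Assumes the portable drive is G:,
# the letter in the Kaspersky log in post #1.
param([string]$Drive = 'G:')

$targets = @((Join-Path $Drive 'autorun.inf'), (Join-Path $Drive 'RECYCLER'))
$flags   = [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Host "not present: $path"; continue }
    $isDir = Test-Path -LiteralPath $path -PathType Container

    # Step 1: on an NTFS-formatted portable disk the RECYCLER\<SID> subfolder carries ACLs,
    # which is the "no access permission" the thread reports. Take ownership, then grant
    # Administrators full control by well-known SID (works on any language of Windows).
    # On a FAT32 stick there are no ACLs and both commands are harmless no-ops.
    if ($isDir) { takeown.exe /F $path /R /D Y | Out-Null } else { takeown.exe /F $path | Out-Null }
    icacls.exe $path /grant '*S-1-5-32-544:F' /T | Out-Null

    # Step 2: the equivalent of "attrib -s -h -r" on the item and everything beneath it.
    $items = @(Get-Item -LiteralPath $path -Force)
    if ($isDir) { $items += @(Get-ChildItem -LiteralPath $path -Force -Recurse -ErrorAction SilentlyContinue) }
    foreach ($item in $items) { $item.Attributes = $item.Attributes -band (-bnot $flags) }

    # Step 3: show what goes (the worm's file sits in RECYCLER\<SID>\jwgkvsq.vmx), then delete.
    $items | ForEach-Object { Write-Host "removing $($_.FullName)" }
    Remove-Item -LiteralPath $path -Recurse -Force
}
```

Deleting the files on the drive only removes the copy that re-infects other machines; as post #13 says, an unpatched host will pick it up again, so the patch and removal tool are still needed.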

#11 - Jan 18 2009, 09:59 PM - fourstrings (Junior Member)
For those infected, anti-Downadup should be able to fix it. If you can't access the link provided by pjoe8, use the alternative link below. The worm will block most antivirus/antispyware websites as well as Microsoft's website.
Anti-Downadup
There are cases where anti-Downadup manages to detect a possible DLL with the worm but does not remove it. Just drill down to C:\WINDOWS\system32 and remove the file manually. Other cases will be where a certain registry entry can't be removed. Open regedit and change that particular folder's permissions, and remove it manually if necessary. (Please make sure you know what you're doing with regedit; one wrong move and the result can be devastating!) All the best!

#12 - Jan 18 2009, 11:01 PM - "mogok" (Senior Member)
I'm using Autorun Eater. Still in progress. So far OK.

#13 - Jan 19 2009, 08:40 AM - cybpsych (Senior Member)
By the way, TS, what's your OS? If you can't access Windows Update, I'll try to download the correct patch from MS and upload it to RS...
Even if fully removed, if your OS is still not fully patched the worm will still come back to exploit the vulnerability...

Update: new tools are here -

This post has been edited by cybpsych: Mar 13 2009, 07:59 PM

#14 - Jan 19 2009, 12:55 PM - cschun86 (Senior Member)
> QUOTE(hunk-u @ Jan 17 2009, 08:43 AM): You can try this... In Folder Options, uncheck 'Hide protected operating system files', then explore your portable HDD and delete the RECYCLER folder. I don't know whether this works for you, but it works for me.. Good luck.

Doesn't work, it said no access permission =.="

> QUOTE(fourstrings @ Jan 18 2009, 09:59 PM): For those infected, anti-Downadup should be able to fix it. If you can't access the link provided by pjoe8, use the alternative link below. The worm will block most antivirus/antispyware websites as well as Microsoft's website. Anti-Downadup. There are cases where anti-Downadup manages to detect a possible DLL with the worm but does not remove it. Just drill down to C:\WINDOWS\system32 and remove the file manually. Other cases will be where a certain registry entry can't be removed. Open regedit and change that particular folder's permissions, and remove it manually if necessary. (Please make sure you know what you're doing with regedit; one wrong move and the result can be devastating!) All the best!

It doesn't block my sites, and I think my computer is clean, because the tools above show it is clean; it's just my portable HDD that isn't clean....

> QUOTE(cybpsych @ Jan 19 2009, 08:40 AM): By the way, TS, what's your OS? If you can't access Windows Update, I'll try to download the correct patch from MS and upload it to RS... I've uploaded two removal tools from F-Secure and BitDefender to Rapidshare --> http://rapidshare.com/files/182316709/tools.rar Even if fully removed, if your OS is still not fully patched the worm will still come back to exploit the vulnerability...

Vista Ultimate 64-bit. Uhm, I will try again and see..

#15 - Jan 19 2009, 02:01 PM - cybpsych (Senior Member)
cschun86, here's the patch for Vista: http://rapidshare.com/files/185822016/KB958644.rar
Double-click the .MSU file to patch your system.

#16 - Jan 19 2009, 02:18 PM - cybpsych (Senior Member)
I'm attaching a better way to totally disable autorun.inf being executed on any removable drive.

Attached file: NoAutoRun.zip (284 bytes), 2079 downloads

#17 - Jan 19 2009, 02:41 PM - "Getting Started" (Junior Member)

#18 - Jan 19 2009, 03:04 PM - cybpsych (Senior Member)
Thanks for your feedback, abe_mad.

> QUOTE: Note on this tweak: The usual tweak that is available in this forum and on the Internet disables the "NoDriveTypeAutoRun" registry key. However, it can be bypassed with a little-known registry key called "MountPoints2", which contains cached information about every memory stick or other removable device your PC has ever seen. With this, it overrides the "NoDriveTypeAutoRun" value if you insert a volume the PC already knows about. So in the end, your previously plugged-in thumbdrive still executes AutoRun/AutoPlay, thus beginning the infection cycle.
>
> This tweak tells Windows to treat AUTORUN.INF as if it were a configuration file. The process is like this: "whenever Windows has to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key does not exist, it's as if AUTORUN.INF is completely empty, so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case you deserve to have your PC infected.

OK guys/gals, I've updated the removal pack with the following:
1) Contains F-Secure, BitDefender, and Symantec removal tools.
2) Added Microsoft's hotfixes to patch the vulnerability associated with this worm. Hotfixes in this pack are for Win2K, WinXP (32/64-bit) and Vista (32/64-bit). Use accordingly.
3) Added a registry tweak to disable execution of the autorun.inf file on any removable drive.

Update: new tools are here -

This post has been edited by cybpsych: Mar 13 2009, 08:00 PM
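The tweak quoted above is the IniFileMapping redirection for Autorun.inf, and the check below applies it together with NoDriveTypeAutoRun and verifies both took effect. This is an added example written here, not the contents of the NoAutoRun.zip attached in post #16; the function names Set-AutorunDisabled and Test-AutorunDisabled are my own.

```powershell
# Added example, not the NoAutoRun.zip from the thread. Run from an elevated PowerShell prompt.
$iniKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-AutorunDisabled {
    # The tweak from the quote: "@SYS:" is the IniFileMapping prefix for HKLM\SOFTWARE, so the
    # default value points every AUTORUN.INF lookup at HKLM\SOFTWARE\DoesNotExist. That key is
    # never created, so Windows sees an empty autorun.inf whatever the file on the drive says.
    if (-not (Test-Path $iniKey)) { New-Item -Path $iniKey -Force | Out-Null }
    Set-ItemProperty -Path $iniKey -Name '(default)' -Value '@SYS:DoesNotExist'

    # The "usual" tweak the quote says MountPoints2 can override; kept as belt and braces.
    # 0xFF = AutoRun off for every drive type.
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutorunDisabled {
    # $true only when both settings are in place; re-run after a reboot or after any
    # "tweaker" utility that may have reset Explorer policies.
    $mapped = (Test-Path $iniKey) -and
              ((Get-ItemProperty -Path $iniKey).'(default)' -eq '@SYS:DoesNotExist')
    $policy = (Test-Path $polKey) -and
              (((Get-ItemProperty -Path $polKey).NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)
    return ($mapped -and $policy)
}

Set-AutorunDisabled
if (Test-AutorunDisabled) { 'AutoRun disabled: autorun.inf is ignored on every drive' }
else { 'Settings did not take; is this prompt running elevated?' }
```

Because IniFileMapping applies to every autorun.inf, this also stops setup CDs and DVDs from auto-launching; their installers still run when double-clicked.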

#19 - Jan 19 2009, 11:28 PM - "Mega Duck" (Senior Member)
What if you try it with the Avira AntiVir Rescue System CD? It's free.

#20 - Jan 20 2009, 09:08 AM - cybpsych (Senior Member)
F-Secure's Downadup Removal Tool (Updated: 19 Jan 2009)
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
Note: this was updated by F-Secure after I uploaded my package. Instead of me re-uploading or you re-downloading the 11 MB, download this instead.